IT Position of Trust Designation

Uploaded by issa-international, posted 20 Feb 2017

TRANSCRIPT

Page 1: IT Position of Trust Designation

Guest Lecturer: Dr. Shawn P. Murray, C|CISO, CISSP, CRISC

IT Position of Trust Designation ADP-IT Requirements for Government Contracts Cyber Security Brief

Presented to the Defense Acquisition University, 23 May 2013

Updated 22 November 2015 to add the alignment of DIACAP (DoDI 8500.2) controls to RMF (NIST SP 800-53) controls

Page 2: IT Position of Trust Designation

Agenda

– ADP-IT Defined

– History

– Basis – Public Law

– Application & Compliance Directives

– DoD 5200.2-R

– DODI 8500.2, February 6, 2003

– DISA STIG - Traditional Security

– Strategy


Page 3: IT Position of Trust Designation

ADP & IT Defined

ADP - Automated Data Processing

IT - Information Technology (Both terms are used synonymously)

ADP/IT requirements identify a specific "Position of Trust" for IT work that is to be accomplished by certain individuals on government information systems. The designation is meant to reduce the risk posed by the insider threat.

There are three ADP/IT Position of Trust levels:

ADP/IT-I, ADP/IT-II & ADP/IT-III

ADP/IT Positions of Trust are required to be recorded on a DD Form 2875 (System Authorization Access Request) and assigned to specific personnel in the Joint Personnel Adjudication System (JPAS).


Page 4: IT Position of Trust Designation

ADP & IT Defined

ADP - Automated Data Processing

IT - Information Technology (Both terms are used synonymously)

ADP/IT requirements apply to Military, Govt. Civilian and Contractor Personnel

Military – MOS or AFSC

Govt. Civilian – Described in Position Description (PD)

ADP/IT requirements for contractors are derived from a Statement of Work (SOW) supporting a DoD contract which includes IT services, general access to government systems, or access to sensitive information to fulfill a contractual need.

• The SOW should have specific language for persons who will have access to government systems and/or information.

− e.g., Privileged User Access or Controlled Unclassified Information (CUI)

• ADP/IT requirements are normally articulated in section 11.l of the DD254, which is married to the SOW.

• In many instances, the DD254 does not articulate the correct ADP/IT requirements or does not align to the SOW properly.

− This is normally due to a lack of knowledge of the requirement or a missing contract security review by an experienced security professional (government and contractor).

− When this happens, the risk posed by the insider threat is greater.


Page 5: IT Position of Trust Designation

History

- OMB Circular A-71 (and Transmittal Memo #B1), July 1978
- OMB Circular A-130, December 12, 1985
- FPM Letter 732, November 14, 1978

These artifacts contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees, as well as the criteria for designating ADP and ADP-related positions outlined in public law.

► Title 32: National Defense

PART 154 - DEPARTMENT OF DEFENSE PERSONNEL SECURITY

PROGRAM REGULATION

Subpart K - Program Management

Appendix J to Part 154 (ADP Position Categories and Criteria for Designating Positions)


Page 6: IT Position of Trust Designation

Appendix J to Part 154 - ADP Position Categories and Criteria for Designating Positions

OMB Circular A-71 (and Transmittal Memo #B1), July 1978; OMB Circular A-130, December 12, 1985; and FPM Letter 732, November 14, 1978 contain the criteria for designating positions under the existing categories used in the personnel security program for Federal civilian employees, as well as the criteria for designating ADP and ADP-related positions. This policy is outlined below:

ADP Position Categories

1. Critical-Sensitive Positions

ADP-I positions. Those positions in which the incumbent is responsible for the planning, direction, and implementation of a computer security program; major responsibility for the direction, planning and design of a computer system, including the hardware and software; or, can access a system during the operation or maintenance in such a way, and with a relatively high risk for causing grave damage, or realize a significant personal gain.

2. Noncritical-Sensitive Positions

ADP-II positions. Those positions in which the incumbent is responsible for the direction, planning, design, operation, or maintenance of a computer system, and whose work is technically reviewed by a higher authority of the ADP-I category to insure the integrity of the system.

3. Nonsensitive Positions

ADP-III positions. All other positions involved in computer activities.

In establishing the categories of positions, other factors may enter into the determination, permitting placement in higher or lower categories based on the agency's judgement as to the unique characteristics of the system or the safeguards protecting the system.

Criteria for Designating Positions

Three categories have been established for designating computer and computer-related positions: ADP-I, ADP-II, and ADP-III. The specific criteria for assigning positions to one of these categories are displayed on the next slide:


Page 7: IT Position of Trust Designation


Specific Criteria as written into Title 32 Part 154 (Appendix J)


Page 8: IT Position of Trust Designation

Compliance Requirements

Sources:
- DISA STIG Traditional Security Checklist - Version 1, Release 2 (July 24, 2013)
- DoD 5200.2-R, Personnel Security Program (January 1987)

DoDI 8500.2 IA Control (DIACAP)   NIST SP 800-53 Controls (RMF)
DCIT-1                             PS-7, SA-9
PECF-1                             PE-2, PE-2(1), PE-7, MA-5
PECF-2                             PE-2, PE-2(3), PE-7
PRAS-1                             PS-3, PS-6, PS-6(1)
PRAS-2                             PS-3(1), PS-6, PS-6(2)
PRNK-1                             PS-3, PS-6(1), PS-6(2)
ECPA-1                             AC-2
IAAC-1                             AC-2

Page 9: IT Position of Trust Designation

8500.2 DCIT-1 V0008392 (CAT I) Acquisition does not address IA roles

Vulnerability: Acquisition does not address IA roles and responsibilities.
8500.2 IA Control: DCIT-1
References: Department of Defense Instruction 8500.2 (DoDI 8500.2)

Vulnerability Discussion: Security procedures are vital to ensure the integrity, confidentiality and availability of systems and data. In outsourcing situations, the requirements, and the responsibilities to perform them, must be spelled out to ensure all are accomplished.

Checks (8500.2 DCIT-1): Examine acquisition and outsourcing documents, including task orders, to ensure IT services explicitly address Government, service provider, and end user IA roles and responsibilities. Ensure the organization monitors compliance.

Default Finding Details: The following issues were noted: Government, service provider, and end user IA roles and responsibilities are not explicitly stated in acquisition or outsourcing requirements. The organization is not monitoring compliance of IT roles and responsibilities in outsourcing agreements.

OPEN: __________ NOT A FINDING: __________ NOT REVIEWED: __________ NOT APPLICABLE: __________

8500.2 DCIT-1 Fixes: Amend IT services acquisition and outsourcing documents, including task orders, so that Government, service provider, and end user IA roles and responsibilities are explicitly addressed. Ensure the organization monitors contractor compliance with all contract provisions plus applicable federal laws, directives, policies, regulations, standards, guidance, and established service level agreements.

Page 10: IT Position of Trust Designation


PS-7: Third-Party Personnel Security

Control Text: "The organization: a. Establishes personnel security requirements including security roles and responsibilities for third-party providers; b. Documents personnel security requirements; and c. Monitors provider compliance."

Supplemental Guidance: Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. The organization explicitly includes personnel security requirements in acquisition-related documents.

NIST 800-53 PS-7


Page 11: IT Position of Trust Designation


SA-9: External Information System Services

Control Text: "The organization: a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and c. Monitors security control compliance by external service providers."

Supplemental Guidance: An external information system service is a service that is implemented outside of the authorization boundary of the organizational information system (i.e., a service that is used by, but not a part of, the organizational information system). Relationships with external service providers are established in a variety of ways, for example, through joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use of external information system services remains with the authorizing official. Authorizing officials require that an appropriate chain of trust be established with external service providers when dealing with the many issues associated with information security. For services external to the organization, a chain of trust requires that the organization establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization. The extent and nature of this chain of trust varies based on the relationship between the organization and the external provider. Where a sufficient level of trust cannot be established in the external services and/or service providers, the organization employs compensating security controls or accepts the greater degree of risk. The external information system services documentation includes government, service provider, and end user security roles and responsibilities, and any service-level agreements. Service-level agreements define the expectations of performance for each required security control, describe measurable outcomes, and identify remedies and response requirements for any identified instance of noncompliance.

NIST 800-53 SA-9


Page 12: IT Position of Trust Designation

“Failure to designate position sensitivity could result in personnel having access to classified information or other sensitive duties (such as privileged access to DoD Information Systems) without the required investigative and adjudicative prerequisites”

STIG Check #3. For privileged users (e.g., SA, IAO, NSO): Check to ensure that privileged users, if military or government civilian, are in critical-sensitive positions and have a successfully adjudicated SSBI with 5-year periodic reviews. Contractors performing work in privileged IS roles must also undergo successful SSBIs with 5-year reviews. Privileged users must undergo an SSBI regardless of the security clearance level required (e.g., even if no clearance or only Confidential or Secret is required). Foreign Nationals or Local Nationals employed by DoD ARE NOT AUTHORIZED to have (IT-I) privileged access to US Information Systems.


Page 13: IT Position of Trust Designation

DoDI 8500.2 Enclosure 3 (page 46)

Privileged Access = IT-I Position of Trust (Privileged Access = Privileged User (PU))

Identifies PU access for:

• DAA or IAM (ISSM) (government)

• IAO (ISSO)

• Monitors or Testers (CND & Developers)

• Network Administrators

• Systems Administrators

• Maintenance of IA products (ACAS, HBSS, PKI, EMET, AV…)

Requires a final SSBI prior to being provided PU access to any IT systems (US Military, Civilian or Contractor)


Page 14: IT Position of Trust Designation

SSBI Investigation → IT-I Position of Trust Designation

Personnel Category:

• Govt. Civilian

• Contractor

Page 15: IT Position of Trust Designation


Funding

Who pays for the SSBI?

- Government Civilian and Military – The Service Component or Agency (OPM)

- Contractors – DSS pays for SSBIs for contractors that require Top Secret clearances

- If the contractor only needs an SSBI for privileged user access and does not need a Top Secret clearance, then the Agency or Service Component the contractor is assigned to has to budget for and fund the requirement.


Page 16: IT Position of Trust Designation


Strategy

- Most Department of Defense agencies and service components have applied IT-I, IT-II & IT-III to privileged users differently due to the cost of funding the SSBI, which in 2013 was estimated at $3,700 per person.

- Strategy 1: Align the SSBI to a person who has a requirement to access Top Secret information so that DSS has to fund the investigation.

  - Risk 1: A person who does not really have a need to know can be provided access to TS information.

- Strategy 2: Assign one privileged user as an IT-I and all other privileged users as IT-II to save money.

  - Risk 1: An IT-II who is being provided privileged user access is not being properly vetted as required (Insider Threat).

  - Risk 2: An IT-I privileged user is required to directly oversee and validate tasks completed by all IT-II privileged users they supervise. This is not always feasible in an organization with multiple IT-II privileged users.

- Strategy 3: Do not address the IT Position of Trust for privileged users.

  - Risk 1: This is the greatest risk and does not protect against the Insider Threat.

  NOTE: This is the most common approach, due to lack of knowledge by acquisition, contracting and security personnel.


Page 17: IT Position of Trust Designation

Where do we go from here?

• All ISSMs managing Cyber Security on a DoD contract should already have:

1. List of all Privileged Users for their specific areas (IA, SA, NA/E, SE, CND, etc.)

2. Privileged User Agreements for them (signed)

3. Privileged User training certificate

4. 8570 Certification IAT or IAM

5. 8570 Certification Computing Environment (CE)

6. Completed 2875s for all PU personnel

7. HBSS training certificate if required by one of your PUs

8. ACAS training certification if required by one of your PUs

9. ISSO appointment letters for your appointed ISSOs

• A Review/Audit of contracts should be considered

• Statement of work should identify privileged user roles

• DD254 Should also identify IT-I, IT-II & IT-III Positions of Trust

• A strategy should be developed to address deficiencies


Page 18: IT Position of Trust Designation

References

– http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=aa33bc45d44c89541aef4096bf908831&rgn=div5&view=text&node=32:1.1.1.6.75&idno=32

– https://www.law.cornell.edu/cfr/text/32/part-154/appendix-J

– http://iase.disa.mil/stigs/Lists/stigs-masterlist/policy-traditional.aspx

– http://csrc.nist.gov/groups/SMA/fisma/framework.html

– http://www.cac.mil/docs/DoDD-8500.2.pdf

– http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf


Page 19: IT Position of Trust Designation

Questions?

Backup Slides Available


Page 20: IT Position of Trust Designation

Industrial Security - DD Form 254

ID-01.02.01 - Industrial Security - DD Form 254

Vulnerability Discussion: Failure to complete a DD Form 254 (Contract Security Classification Specification) or to specify security clearance and/or IT requirements for all contracts that require access to classified material can result in unauthorized personnel having access to classified material or mission failure if personnel are not authorized the proper access

IA Controls: PECF-1, PRAS-2, PRNK-1

VMS Target: Traditional Security (DISA FSO VMS Target – Traditional Security – 2506)

1. DD Forms 254 must be on hand for each classified contract.

2. All security requirements must be properly detailed on the form, particularly for Information Technology related requirements, such as IT Position levels for the positions or types of work to be performed.

1. Check there are DD Forms 254 available for all classified contracts. NOTE: These forms may be held by the site contracting officials but should be available to the site security manager and information security manager for review.

2. Conduct a cursory review of the DD 254 to ensure all security requirements are properly detailed on the form, especially with regard to Information Assurance (i.e., IT Position level designation). NOTE: Applicable to tactical environments if there are contractor personnel performing classified work. This form will likely only be found at fixed locations rather than field locations. While the DD 254 may not be available on site or even in Theater, the completed document's location should be identified and, if possible, a scanned and emailed copy requested for review. This will likely only be possible via SIPRNet email, because some of these forms contain classified information, while all others are FOUO.


Page 21: IT Position of Trust Designation

Industrial Security - Contractor VALs

ID-02.03.01 - Industrial Security - Contractor Visit Authorization Letters (VALs)

Vulnerability Discussion: Failure to require Visit Authorization Letters (VALs) for contractor visits could result in sensitive or classified materials being released to unauthorized personnel.

IA Controls: ECAN-1, PECF-1, PRAS-2

VMS Target: Traditional Security (DISA FSO VMS Target – Traditional Security – 2506)

Checks:

• 1. Written procedures must be developed that cover the requirements and process for Visit Authorization Letters (VAL) for contractors visiting and/or employed at government sites.

• 2. All government sites must have a VAL on file for each contractor visiting the site temporarily and also for permanent party contractors routinely working/physically employed at the site.

Notes: JPAS should be used for most short term "visitor" VALs; however, in addition to JPAS (or as an alternative to JPAS for contractors who do not have JPAS accounts), VALs may also be passed via hard copy or electronically (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for short term visits, whereas contractor "employee" VALs require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS. A hard copy VAL for assigned contractor employees will help to eliminate substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in the applicable Statement of Work (SOW) and/or DD 254), etc.


Page 22: IT Position of Trust Designation

Industrial Security - Contractor VALs (Continued from previous page)


Checks:

• 1. Check with the security manager or personnel security specialists to ensure there are written procedures for contractors visiting government sites.

• 2. Ask to see copies of the site VALs and/or determine the site VAL process based on the processing of contractors on your inspection team.

• 3. Ensure all government facilities have a VAL on file for all contractors visiting the site, to include permanent party contractors.

Notes:

• 1. JPAS should and will likely be used for most short term "visitor" VALs; however, in addition to JPAS, the VAL may also be passed via hard copy or electronically (mail, fax, email) for "assigned" contractor employees. This is because JPAS is by design intended for short term visits, whereas contractor "employee" VALs should require additional information (such as contract number, COR identification, etc.) that cannot be input or passed via JPAS. Lack of a hard copy VAL alone for assigned contractor employees at a site will not necessarily be cause for a finding if a VAL in JPAS is available. Reviewers must use discretion when evaluating whether the lack of a hard copy VAL has caused any substantive confusion over the company Facility Clearance Level (FCL), individual contract employee security clearance levels, IT position assignments based on job descriptions (found in the applicable Statement of Work (SOW) and/or DD 254), etc. when deciding if a finding is warranted. For instance, an individual employee's JPAS access might indicate they have a TS clearance, but the FCL for the company is only at the Secret level and/or the contract only allows for up to Secret access. If the site is allowing access to TS for this individual, then the lack of a hard copy VAL could be cited as a finding, in addition to any other related findings for this discovery.

• 2. Applies in a tactical environment if contract personnel visit or are assigned.

• 3. Reviewers should be sure to note in the findings report whether the finding concerns JPAS issues for short term contractor visitors or "hard copy" VALs for assigned contractor employees.
